How i was able to get 29 free products. | Bug Bounty
2022-8-6 14:21:5 Author: infosecwriteups.com Reads: 37

First of all, what is a race condition?

A race condition occurs when two or more threads can access shared data and try to change it at the same time. If you have a hard time understanding theoretical stuff, let me give you an example. Let’s say a user has bank accounts A and B. Both A and B hold $500.

image by https://www.baeldung.com

As you can see, we transferred $300 from A to B two times, and there is no problem. However, if these two transfers were performed simultaneously, we may see some problems.

image by www.baeldung.com

We’ve encountered a race condition and transferred $600 from A to B, even though bank account A had $300 in the beginning.

My Finding

So the target company is a marketplace for drinks, and there is a monthly subscription. If you are subscribed to the service, you get a free sample every month. The product shows up on your profile and you can add it to your basket. I clicked to add it to the basket and captured the request to see what I could do.

An example of the request.

So as soon as I saw the IDs I tried IDOR, but there wasn’t an IDOR. So I thought of changing the quantity; I mean, this is a sample and free, so the quantity could be 10–15 and the price would still be 0. I changed the quantity to 3 and sent the request, but they had thought of this one too. So I said why not try a race condition, sent the request to Turbo Intruder, and after I saw all 200s and took a look at the responses, I understood there was a race condition.
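As an added illustration (not code from the post or from the target), the check-then-act pattern that lets duplicate “add free sample” requests through, beside a version where the check and the write are done atomically so only the first request wins. The service class, user id, request count and simulated latency are assumptions for the demo; in a real backend the lock corresponds to a conditional UPDATE or a unique constraint on the claim.

```python
import threading
import time

# Constructed in-memory model of the subscription state (assumption: not the
# target's real implementation). sample_claimed marks whether this month's free
# sample was already added; basket holds the quantity of the sample per user.
class BasketService:
    def __init__(self, atomic: bool):
        self.atomic = atomic
        self.sample_claimed = {}   # user_id -> True once the sample was added
        self.basket = {}           # user_id -> quantity of free sample in basket
        self._lock = threading.Lock()

    def _check_then_add(self, user_id):
        # Check-then-act: the window between the check and the write is the race.
        if self.sample_claimed.get(user_id):
            return False
        time.sleep(0.05)  # simulated DB/network latency; widens the window for the demo
        self.sample_claimed[user_id] = True
        self.basket[user_id] = self.basket.get(user_id, 0) + 1
        return True

    def add_free_sample(self, user_id):
        if self.atomic:
            # Hardened: check and write happen under one lock, so concurrent
            # requests are serialized and only the first one succeeds.
            with self._lock:
                return self._check_then_add(user_id)
        # Vulnerable: every request that passes the check before the first
        # write lands gets a free sample.
        return self._check_then_add(user_id)


def run_concurrent(atomic, requests=29):
    """Fire `requests` simultaneous add-to-basket calls for one user and
    return (number of successful adds, sample quantity ending up in basket)."""
    svc = BasketService(atomic)
    results = []
    def worker():
        results.append(svc.add_free_sample("user-1"))
    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), svc.basket.get("user-1", 0)


if __name__ == "__main__":
    print("vulnerable:", run_concurrent(atomic=False))  # many successes
    print("hardened: ", run_concurrent(atomic=True))    # (1, 1)
```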

I love race condition bugs because they are easy to exploit and very impactful.

If you have questions to ask me, you can contact me on Twitter.



Article source: https://infosecwriteups.com/how-i-was-able-to-get-29-free-products-bug-bounty-845667ab4ad4?source=rss----7b722bfd1b8d--bug_bounty